You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@kudu.apache.org by "Alexey Serbin (Code Review)" <ge...@cloudera.org> on 2021/03/18 23:24:59 UTC
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Alexey Serbin has uploaded this change for review. ( http://gerrit.cloudera.org:8080/17204
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
KUDU-1926: disable TLS/SSL session renegotiation
This patch disables TLS ciphers renegotiation for TLSv1.2 and prior.
In case of OpenSSL version 1.1.0h and newer, we are using
SSL_OP_NO_RENEGOTIATION option to all renegotiation. In case of OpenSSL
version prior to 1.1.0a, the undocumented
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is used. See [1], [2] and [3]
for more context.
The moot point is the version interval between 1.1.0a and 1.1.0g: the
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but
SSL_OP_NO_RENEGOTIATION is not yet present.
[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html
[2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049
[3] https://github.com/openssl/openssl/issues/4739
Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
---
M src/kudu/security/tls_context.cc
1 file changed, 26 insertions(+), 0 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/04/17204/1
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
[kudu-CR] KUDU-1926: disable TLS/SSL renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL renegotiation
......................................................................
Patch Set 3:
> Patch Set 3: Code-Review+2
Thank you for review!
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Tue, 23 Mar 2021 02:23:17 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL renegotiation
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL renegotiation
......................................................................
Patch Set 3: Code-Review+2
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Tue, 23 Mar 2021 02:00:51 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Attila Bukor, Kudu Jenkins, Andrew Wong, Grant Henke,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/17204
to look at the new patch set (#3).
Change subject: KUDU-1926: disable TLS/SSL renegotiation
......................................................................
KUDU-1926: disable TLS/SSL renegotiation
This patch disables TLS ciphers renegotiation for TLSv1.2 and prior
protocol versions. In case of OpenSSL version 1.1.0h and newer, we are
using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used. See [1], [2] and [3]
for more context.
The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.
[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html
[2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049
[3] https://github.com/openssl/openssl/issues/4739
Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
---
M src/kudu/security/tls_context.cc
1 file changed, 25 insertions(+), 2 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/04/17204/3
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
[kudu-CR] KUDU-1926: disable TLS/SSL renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL renegotiation
......................................................................
KUDU-1926: disable TLS/SSL renegotiation
This patch disables TLS ciphers renegotiation for TLSv1.2 and prior
protocol versions. In case of OpenSSL version 1.1.0h and newer, we are
using SSL_OP_NO_RENEGOTIATION option to disable all renegotiations. In
case of OpenSSL version prior to 1.1.0a, the undocumented flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is used. See [1], [2] and [3]
for more context.
The moot point is the version interval between 1.1.0a and 1.1.0g
(inclusive): the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is no longer
available from the application side, but SSL_OP_NO_RENEGOTIATION is not
yet present. So, if a server binary has been compiled with OpenSSL in
the specified version range, it's still advertising the renegotiation
option, even if it's run against OpenSSL 1.1.0h or later versions.
[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html
[2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049
[3] https://github.com/openssl/openssl/issues/4739
Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Reviewed-on: http://gerrit.cloudera.org:8080/17204
Tested-by: Kudu Jenkins
Reviewed-by: Andrew Wong <aw...@cloudera.com>
---
M src/kudu/security/tls_context.cc
1 file changed, 25 insertions(+), 2 deletions(-)
Approvals:
Kudu Jenkins: Verified
Andrew Wong: Looks good to me, approved
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 4
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
[kudu-CR] KUDU-1926: disable TLS/SSL renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL renegotiation
......................................................................
Patch Set 2:
(3 comments)
http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG
Commit Message:
http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG@11
PS2, Line 11: to all
> nit: to disable all?
Done
http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG@16
PS2, Line 16: The moot point is the version interval between 1.1.0a and 1.1.0g: the
: SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but
: SSL_OP_NO_RENEGOTIATION is not yet present.
> Just making sure I understand: this means we still renegotiate if compiling
Right: if compiling with OpenSSL in the specified version range, the server is still advertising the renegotiation option. That's true even if the server is effectively run against 1.1.0h or later version.
I added an extra blurb about this.
As for whether cipher or other renegotiation happens during or after establishing an RPC connection, I guess Kudu components never do that, with or without this patch. This change is more about disabling the options which aren't used by Kudu, but make the system less secure.
This patch removes one more option which was turned on by default but wasn't used by Kudu.
http://gerrit.cloudera.org:8080/#/c/17204/2/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:
http://gerrit.cloudera.org:8080/#/c/17204/2/src/kudu/security/tls_context.cc@186
PS2, Line 186: //
> nit: maybe note the Jira here too?
Done
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 22 Mar 2021 23:23:09 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
Patch Set 2:
There is funny crash with SIGSEGV if running under TSAN: I'll need to clarify on that.
home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:315
Failed
Bad status: Runtime error: /tmp/dist-test-task4slHfE/build/tsan/bin/kudu: process exited on signal 11 (core dumped)
Google Test trace:
/home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:314: W0319 06:43:49.983834 27011 flags.cc:411] Enabled unsafe flag: --openssl_security_level_override=0
W0319 06:43:49.984328 27011 flags.cc:411] Enabled unsafe flag: --never_fsync=true
W0319 06:43:50.808722 27011 thread.cc:616] rpc reactor (reactor) Time spent creating pthread: real 0.775s user 0.356s sys 0.418s
W0319 06:43:50.809056 27011 thread.cc:582] rpc reactor (reactor) Time spent starting thread: real 0.775s user 0.356s sys 0.418s
*** Aborted at 1616136230 (unix time) try "date -d @1616136230" if you are using GNU date ***
PC: @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock
*** SIGSEGV (@0x18) received by PID 27011 (TID 0x7fd2a1883700) from PID 24; stack trace: ***
@ 0x4f8b10 __tsan::CallUserSignalHandler()
@ 0x4fb027 rtl_sigaction()
@ 0x7fd2b07ff980 (unknown)
@ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock
@ 0x4ff2b2 pthread_rwlock_unlock
@ 0x7fd2aed4e8a9 CRYPTO_THREAD_unlock
@ 0x7fd2aece481f CRYPTO_free_ex_data
@ 0x7fd2aed183b2 RSA_free
@ 0x7fd2aecdfc9b (unknown)
@ 0x7fd2aece0899 EVP_PKEY_free
@ 0x7fd2aed6965c (unknown)
@ 0x7fd2aec0fac7 (unknown)
@ 0x7fd2aec0fc30 (unknown)
@ 0x7fd2aec0fa26 (unknown)
@ 0x7fd2aec0fc30 (unknown)
@ 0x7fd2aec0fa26 (unknown)
@ 0x7fd2aec0fb55 ASN1_item_free
@ 0x7fd2aed5d069 X509_OBJECT_free
@ 0x7fd2aed4afc0 OPENSSL_sk_pop_free
@ 0x7fd2aed5d5ac X509_STORE_free
@ 0x7fd2ae919af4 SSL_CTX_free
@ 0x7fd2af657c88 _ZNSt3__18__invokeIRPFvP10ssl_ctx_stEJS2_EEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOS6_DpOS7_
@ 0x7fd2af657bf4 _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRPFvP10ssl_ctx_stES4_EEEvDpOT_
@ 0x7fd2af657ba4 std::__1::__function::__alloc_func<>::operator()()
@ 0x7fd2af6567dd std::__1::__function::__func<>::operator()()
@ 0x7fd2afd074b7 std::__1::__function::__value_func<>::operator()()
@ 0x7fd2afd073ec std::__1::function<>::operator()()
@ 0x7fd2afd072fe std::__1::unique_ptr<>::reset()
@ 0x7fd2afd06dbc std::__1::unique_ptr<>::~unique_ptr()
@ 0x7fd2afd06d4a kudu::security::TlsContext::~TlsContext()
@ 0x7fd2afd06c9f std::__1::default_delete<>::operator()()
@ 0x7fd2afd06c0e std::__1::unique_ptr<>::reset()
/home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:313: (int32 key=1) (int32 key=2) (int32 key=3) (int32 key=4) (int32 key=5) T ebd1313dc9ed4e9393c8c966988f7681 scanned count 5 cost 0.0375527 seconds Total count 5 cost 0.0400349 seconds
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Fri, 19 Mar 2021 07:10:20 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
Patch Set 1: Verified+1
Unrelated TSAN warning while running Params/ScanYourWritesParamTest.Test/1
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Fri, 19 Mar 2021 00:50:02 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Grant Henke (Code Review)" <ge...@cloudera.org>.
Grant Henke has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
Patch Set 2: Code-Review+1
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Sun, 21 Mar 2021 01:19:29 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Attila Bukor, Kudu Jenkins, Grant Henke,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/17204
to look at the new patch set (#2).
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
KUDU-1926: disable TLS/SSL session renegotiation
This patch disables TLS ciphers renegotiation for TLSv1.2 and prior.
In case of OpenSSL version 1.1.0h and newer, we are using
SSL_OP_NO_RENEGOTIATION option to all renegotiation. In case of OpenSSL
version prior to 1.1.0a, the undocumented
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is used. See [1], [2] and [3]
for more context.
The moot point is the version interval between 1.1.0a and 1.1.0g: the
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but
SSL_OP_NO_RENEGOTIATION is not yet present.
[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_set_options.html
[2] https://github.com/openssl/openssl/blob/f9398cc2b31858ddaaea3f5cfec2fce7f9b90347/CHANGES#L1038-L1049
[3] https://github.com/openssl/openssl/issues/4739
Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
---
M src/kudu/security/tls_context.cc
1 file changed, 25 insertions(+), 2 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/04/17204/2
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
Patch Set 2: Verified+1
> There is funny crash with SIGSEGV if running under TSAN: I'll need
> to clarify on that.
>
>
> home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:315
> Failed
> Bad status: Runtime error: /tmp/dist-test-task4slHfE/build/tsan/bin/kudu:
> process exited on signal 11 (core dumped)
> Google Test trace:
> /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:314:
> W0319 06:43:49.983834 27011 flags.cc:411] Enabled unsafe flag:
> --openssl_security_level_override=0
> W0319 06:43:49.984328 27011 flags.cc:411] Enabled unsafe flag:
> --never_fsync=true
> W0319 06:43:50.808722 27011 thread.cc:616] rpc reactor (reactor)
> Time spent creating pthread: real 0.775s user 0.356s sys 0.418s
> W0319 06:43:50.809056 27011 thread.cc:582] rpc reactor (reactor)
> Time spent starting thread: real 0.775s user 0.356s sys 0.418s
> *** Aborted at 1616136230 (unix time) try "date -d @1616136230" if
> you are using GNU date ***
> PC: @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock
> *** SIGSEGV (@0x18) received by PID 27011 (TID 0x7fd2a1883700) from
> PID 24; stack trace: ***
> @ 0x4f8b10 __tsan::CallUserSignalHandler()
> @ 0x4fb027 rtl_sigaction()
> @ 0x7fd2b07ff980 (unknown)
> @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock
> @ 0x4ff2b2 pthread_rwlock_unlock
> @ 0x7fd2aed4e8a9 CRYPTO_THREAD_unlock
> @ 0x7fd2aece481f CRYPTO_free_ex_data
> @ 0x7fd2aed183b2 RSA_free
> @ 0x7fd2aecdfc9b (unknown)
> @ 0x7fd2aece0899 EVP_PKEY_free
> @ 0x7fd2aed6965c (unknown)
> @ 0x7fd2aec0fac7 (unknown)
> @ 0x7fd2aec0fc30 (unknown)
> @ 0x7fd2aec0fa26 (unknown)
> @ 0x7fd2aec0fc30 (unknown)
> @ 0x7fd2aec0fa26 (unknown)
> @ 0x7fd2aec0fb55 ASN1_item_free
> @ 0x7fd2aed5d069 X509_OBJECT_free
> @ 0x7fd2aed4afc0 OPENSSL_sk_pop_free
> @ 0x7fd2aed5d5ac X509_STORE_free
> @ 0x7fd2ae919af4 SSL_CTX_free
> @ 0x7fd2af657c88 _ZNSt3__18__invokeIRPFvP10ssl_ctx_stEJS2_EEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOS6_DpOS7_
> @ 0x7fd2af657bf4 _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRPFvP10ssl_ctx_stES4_EEEvDpOT_
> @ 0x7fd2af657ba4 std::__1::__function::__alloc_func<>::operator()()
> @ 0x7fd2af6567dd std::__1::__function::__func<>::operator()()
> @ 0x7fd2afd074b7 std::__1::__function::__value_func<>::operator()()
> @ 0x7fd2afd073ec std::__1::function<>::operator()()
> @ 0x7fd2afd072fe std::__1::unique_ptr<>::reset()
> @ 0x7fd2afd06dbc std::__1::unique_ptr<>::~unique_ptr()
> @ 0x7fd2afd06d4a kudu::security::TlsContext::~TlsContext()
> @ 0x7fd2afd06c9f std::__1::default_delete<>::operator()()
> @ 0x7fd2afd06c0e std::__1::unique_ptr<>::reset()
> /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:313:
> (int32 key=1) (int32 key=2) (int32 key=3) (int32 key=4) (int32
> key=5) T ebd1313dc9ed4e9393c8c966988f7681 scanned count 5 cost
> 0.0375527 seconds Total count 5 cost 0.0400349 seconds
I could not reproduce the flake.
> There is funny crash with SIGSEGV if running under TSAN: I'll need
> to clarify on that.
>
>
> home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:315
> Failed
> Bad status: Runtime error: /tmp/dist-test-task4slHfE/build/tsan/bin/kudu:
> process exited on signal 11 (core dumped)
> Google Test trace:
> /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:314:
> W0319 06:43:49.983834 27011 flags.cc:411] Enabled unsafe flag:
> --openssl_security_level_override=0
> W0319 06:43:49.984328 27011 flags.cc:411] Enabled unsafe flag:
> --never_fsync=true
> W0319 06:43:50.808722 27011 thread.cc:616] rpc reactor (reactor)
> Time spent creating pthread: real 0.775s user 0.356s sys 0.418s
> W0319 06:43:50.809056 27011 thread.cc:582] rpc reactor (reactor)
> Time spent starting thread: real 0.775s user 0.356s sys 0.418s
> *** Aborted at 1616136230 (unix time) try "date -d @1616136230" if
> you are using GNU date ***
> PC: @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock
> *** SIGSEGV (@0x18) received by PID 27011 (TID 0x7fd2a1883700) from
> PID 24; stack trace: ***
> @ 0x4f8b10 __tsan::CallUserSignalHandler()
> @ 0x4fb027 rtl_sigaction()
> @ 0x7fd2b07ff980 (unknown)
> @ 0x7fd2b07fa26a __GI___pthread_rwlock_unlock
> @ 0x4ff2b2 pthread_rwlock_unlock
> @ 0x7fd2aed4e8a9 CRYPTO_THREAD_unlock
> @ 0x7fd2aece481f CRYPTO_free_ex_data
> @ 0x7fd2aed183b2 RSA_free
> @ 0x7fd2aecdfc9b (unknown)
> @ 0x7fd2aece0899 EVP_PKEY_free
> @ 0x7fd2aed6965c (unknown)
> @ 0x7fd2aec0fac7 (unknown)
> @ 0x7fd2aec0fc30 (unknown)
> @ 0x7fd2aec0fa26 (unknown)
> @ 0x7fd2aec0fc30 (unknown)
> @ 0x7fd2aec0fa26 (unknown)
> @ 0x7fd2aec0fb55 ASN1_item_free
> @ 0x7fd2aed5d069 X509_OBJECT_free
> @ 0x7fd2aed4afc0 OPENSSL_sk_pop_free
> @ 0x7fd2aed5d5ac X509_STORE_free
> @ 0x7fd2ae919af4 SSL_CTX_free
> @ 0x7fd2af657c88 _ZNSt3__18__invokeIRPFvP10ssl_ctx_stEJS2_EEEDTclclsr3std3__1E7forwardIT_Efp_Espclsr3std3__1E7forwardIT0_Efp0_EEEOS6_DpOS7_
> @ 0x7fd2af657bf4 _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRPFvP10ssl_ctx_stES4_EEEvDpOT_
> @ 0x7fd2af657ba4 std::__1::__function::__alloc_func<>::operator()()
> @ 0x7fd2af6567dd std::__1::__function::__func<>::operator()()
> @ 0x7fd2afd074b7 std::__1::__function::__value_func<>::operator()()
> @ 0x7fd2afd073ec std::__1::function<>::operator()()
> @ 0x7fd2afd072fe std::__1::unique_ptr<>::reset()
> @ 0x7fd2afd06dbc std::__1::unique_ptr<>::~unique_ptr()
> @ 0x7fd2afd06d4a kudu::security::TlsContext::~TlsContext()
> @ 0x7fd2afd06c9f std::__1::default_delete<>::operator()()
> @ 0x7fd2afd06c0e std::__1::unique_ptr<>::reset()
> /home/jenkins-slave/workspace/kudu-master/1/src/kudu/tools/kudu-tool-test.cc:313:
> (int32 key=1) (int32 key=2) (int32 key=3) (int32 key=4) (int32
> key=5) T ebd1313dc9ed4e9393c8c966988f7681 scanned count 5 cost
> 0.0375527 seconds Total count 5 cost 0.0400349 seconds
I could not reproduce the flake. And I'm quite sure it's not related to the essence of this patch.
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Sat, 20 Mar 2021 01:14:09 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
Patch Set 1:
> Unrelated TSAN warning while running Params/ScanYourWritesParamTest.Test/1
I posted a separate patch to fix the race reported by TSAN:
https://gerrit.cloudera.org/#/c/17205/
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Fri, 19 Mar 2021 04:04:04 +0000
Gerrit-HasComments: No
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Andrew Wong (Code Review)" <ge...@cloudera.org>.
Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/17204 )
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
Patch Set 2: Code-Review+1
(3 comments)
http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG
Commit Message:
http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG@11
PS2, Line 11: to all
nit: to disable all?
http://gerrit.cloudera.org:8080/#/c/17204/2//COMMIT_MSG@16
PS2, Line 16: The moot point is the version interval between 1.1.0a and 1.1.0g: the
: SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag is already gone, but
: SSL_OP_NO_RENEGOTIATION is not yet present.
Just making sure I understand: this means we still renegotiate if compiling with an OpenSSL version in this range, right?
http://gerrit.cloudera.org:8080/#/c/17204/2/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:
http://gerrit.cloudera.org:8080/#/c/17204/2/src/kudu/security/tls_context.cc@186
PS2, Line 186: //
nit: maybe note the Jira here too?
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 22 Mar 2021 20:43:10 +0000
Gerrit-HasComments: Yes
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has removed a vote on this change.
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
Removed Verified-1 by Kudu Jenkins (120)
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
[kudu-CR] KUDU-1926: disable TLS/SSL session renegotiation
Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has removed a vote on this change.
Change subject: KUDU-1926: disable TLS/SSL session renegotiation
......................................................................
Removed Verified-1 by Kudu Jenkins (120)
--
To view, visit http://gerrit.cloudera.org:8080/17204
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: Ib585dcfc2c3f641268ceded19e0ea5c551d97ae1
Gerrit-Change-Number: 17204
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)